loudapet
commented
1 month ago Well, this clarifies things, sadly (RFC9112)
When an origin server receives a request with an absolute-form of request-target, the origin server MUST ignore the received Host header field (if any) and instead use the host information of the request-target. Note that if the request-target does not have an authority component, an empty Host header field will be sent in this case. A server MUST accept the absolute-form in requests even though most HTTP/1.1 clients will only send the absolute-form to a proxy.
http://localhost:8080/testing.htmlis recognized by nginx, but basically ignores both scheme and authority components.http://localhost:8080/testing.htmlwill net the same result ashttp://localhost:90/testing.htmlorhttp://localhost/testing.htmlor simplysmh://localhost/testing.html. That indicates it ignores those components, but it will still manage to find the resource and reconstruct the correct URI from the header fields - our parser currently refuses anything that doesn't start with a slash.http://testing.htmlcalls the default page (not sure why, probably considerstesting.htmla host name).